E-commerce Security Basics

When you send information over the internet without encryption, it’s not a question of whether someone is listening. It’s a question of who is listening. Customers want to feel secure and businesses want to make sales. E-commerce security is attainable, but the best practices for maintaining it evolve from year to year. Recent vulnerabilities like Heartbleed (a bug in the widely used OpenSSL library) and POODLE (a weakness in the SSL 3.0 protocol itself) have reminded us that it’s important to stay up to date on current security issues. Even major corporations like eBay and Target have suffered breaches of customer data.

What an e-commerce security environment currently looks like

For e-commerce to work, a customer needs to be able to send payment information to a website in such a way that it can’t be read until it reaches the intended recipient. Secure Sockets Layer, or SSL, is the encryption protocol designed to solve this problem. Its successor, Transport Layer Security (TLS), is what browsers and servers actually negotiate today, but the old name has stuck, and this article uses “SSL” in that everyday sense.

The basics of SSL

Although the details of how SSL functions have evolved since its development by Netscape in 1994, it’s been the predominant player in the e-commerce security field ever since, and the padlock and/or green bar a browser displays next to an SSL-secured web address has become practically synonymous with safety on the web. When a site is available at “https://” rather than “http://”, the “s” is telling you that the communication between client and server is taking place over Hypertext Transfer Protocol secured by SSL: HTTPS means “HTTP over SSL.” The difference may seem nitpicky, but it’s at the heart of e-commerce security.

How SSL works

Without SSL, information sent between a client (customer) and server (business) travels as plain text that anyone on the path can read. SSL encrypts that text before it leaves either end of the connection, and both parties hold the same secret session key that lets them decrypt what arrives. Agreeing on that key is the tricky part: handing a secret key to a website before a secure channel exists presents something of a catch-22.

The magic happens in the first few milliseconds after the client navigates to the server’s URL, using an identification document known as an SSL certificate: a statement, digitally signed by a certificate authority, that a particular public key belongs to a particular domain name, much as a notary vouches for a signature. Browsers ship with a built-in database of trusted certificate authorities (the organizations that issue SSL certificates), allowing them to check that a certificate was issued by one of those authorities, names the domain being visited, and has not expired. The process looks like this:

  1. The client browser connects to the server and asks to start an SSL session, listing the protocol versions and ciphers it supports
  2. The server presents its certificate, which contains the server’s public key and the certificate authority’s signature over it
  3. The client browser checks that the certificate is signed by an authority it trusts, covers the domain name in the address bar, and is within its validity period. If any check fails, the browser warns the user and stops. Otherwise, in the classic RSA key exchange, it generates a random secret, encrypts it with the server’s public key and sends it over; only the holder of the matching private key, which never left the server, can decrypt it
  4. Both sides derive the same session keys from that shared secret (the server does not need to send a key back), and from here on everything exchanged, card number included, is encrypted with those session keys until the session is terminated

Modern TLS replaces the RSA step with an ephemeral Diffie-Hellman exchange, so that a later theft of the server’s private key cannot be used to decrypt recorded traffic (forward secrecy), but the shape is the same: the certificate authenticates the server, and a fresh shared secret protects the session.
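The exchange described above, run end to end with Go’s standard library as an added example (this is not code from the original article). A throwaway self-signed certificate for the made-up domain shop.example stands in for one bought from a certificate authority, a server on a loopback port plays the business, and three clients play the browser. The honest client pins that certificate and expects the right name, so the handshake completes and a constructed test card number travels encrypted. The other two model what a browser’s warning page represents: a client whose trust store does not contain the issuer, and a client that expected a different name (other.example, also made up), which is what a man in the middle creates when he presents a certificate issued for some other site. Both are refused before any card data is sent. The hostnames, the port choice and the payload are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

const shopHost = "shop.example" // made-up domain standing in for the shop's real one

// newSelfSignedCert makes a throwaway ECDSA key and a certificate for host signed with its own key.
// A real shop has a CA the browser already trusts sign its certificate; here the client just pins this one.
func newSelfSignedCert(host string) tls.Certificate {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name the browser compares with the address bar
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // parsed form lets the client pin it as a trust anchor
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// serveEcho is the business side: the first Read completes the handshake, then the record read is echoed back.
func serveEcho(ln net.Listener, cfg *tls.Config) {
	for {
		raw, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		go func(tc *tls.Conn) {
			defer tc.Close()
			buf := make([]byte, 256)
			if n, err := tc.Read(buf); err == nil {
				tc.Write(buf[:n])
			}
		}(tls.Server(raw, cfg))
	}
}

// runClient is the customer side; the dial fails, before any payload is sent, if the certificate fails validation.
func runClient(addr string, cfg *tls.Config, payload string) (tls.ConnectionState, string, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	conn.Write([]byte(payload))
	buf := make([]byte, 256)
	n, err := conn.Read(buf)
	return conn.ConnectionState(), string(buf[:n]), err
}

// Demo runs one honest client and two that must refuse to talk: the cases behind a browser's certificate warning.
func Demo() (version uint16, echo string, untrustedIssuer, wrongHostname bool, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return
	}
	defer ln.Close()
	cert := newSelfSignedCert(shopHost)
	go serveEcho(ln, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	addr := ln.Addr().String()
	trusted := x509.NewCertPool() // stands in for the browser's database of trusted CAs
	trusted.AddCert(cert.Leaf)

	// 1. Honest client: trusts the issuer and expects the shop's own name (the payload is a constructed test card number).
	st, echo, err := runClient(addr, &tls.Config{RootCAs: trusted, ServerName: shopHost}, "PAN=4111111111111111")
	if err != nil {
		return
	}
	version = st.Version // 0x0303 is TLS 1.2, 0x0304 is TLS 1.3
	// 2. Empty trust store: the certificate chains to no authority the client knows.
	_, _, err = runClient(addr, &tls.Config{RootCAs: x509.NewCertPool(), ServerName: shopHost}, "x")
	untrustedIssuer = errors.As(err, new(x509.UnknownAuthorityError))
	// 3. Valid certificate, wrong domain: what a man in the middle re-using a certificate for another site looks like.
	_, _, err = runClient(addr, &tls.Config{RootCAs: trusted, ServerName: "other.example"}, "x")
	wrongHostname = errors.As(err, new(x509.HostnameError))
	return version, echo, untrustedIssuer, wrongHostname, nil
}
```

Demo returns the negotiated protocol version, the echoed payload and the two refusal flags; a two-line main that prints the result of Demo() is all it takes to run it. Note that the client never sets InsecureSkipVerify: that one flag is the programmatic equivalent of clicking through a browser warning, and it turns every one of the checks above off.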

Client and Server Security

Deployed correctly, SSL is a strong defense against man-in-the-middle attacks on credit card information in transit, but “correctly” carries weight: the browser must actually verify the certificate, and the server must run a current implementation and configuration (Heartbleed was a flaw in an implementation; POODLE was a flaw in an obsolete protocol version that servers should have had disabled). SSL also does nothing if either the client or the server is already compromised by attackers, and that’s where other controls like firewalls and platform security come in. Enter PCI DSS compliance.

PCI DSS compliance

Getting audited may sound scary, but PCI DSS compliance (the Payment Card Industry Data Security Standard, which the card brands require of any merchant that handles card data) is currently the baseline standard of e-commerce security. PCI DSS sets requirements on all fronts, from anti-virus controls and patching to network segmentation and protection of stored card data. It matters because it encourages a proactive approach to security. The legal and financial consequences of losing customers’ credit card information can doom a business. It simply isn’t worth the risk.

Platform patches

Most e-commerce businesses are built on an established platform like Magento, Shopify, or WooCommerce. Platforms are great, but like any software they need security patches applied promptly to stay current. With a hosted platform such as Shopify the vendor patches the servers for you; with self-hosted software such as Magento or WooCommerce (and the web server, PHP runtime and plugins underneath it) that job is yours. Keeping current on security patches is especially important for smaller businesses, for whom a full PCI DSS audit may be unrealistic (smaller merchants typically self-assess against the standard instead).

Looking forward

The web is fast becoming the primary channel for storing and sharing personal information. With so much information floating around, consumers are right to expect security. Google has announced that its search ranking favors HTTPS sites, and online shoppers increasingly expect to see a reassuring padlock icon in their browser before they’ll make a purchase. For e-commerce environments, SSL and other security technologies have become de facto requirements.

Colby Albarado

Colby is a full-stack developer
